From jericho at attrition.org Mon Oct 3 01:16:56 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Oct 3 01:16:59 2005
Subject: [VIM] H.323 protocol vulns
Message-ID:
via the PROTOS testing suite:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0097
then we see an "update" to the suite (guessing, they don't explicitly
state the name of the testing software):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0498
http://www.uniras.gov.uk/niscc/docs/re-20041026-00956.pdf?lang=en
Were the different vulnerabilities ever described in more detail? Or is
this a year+ later and everything is still vague?
From coley at mitre.org Wed Oct 5 17:08:43 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed Oct 5 17:11:12 2005
Subject: [VIM] MyBloggie SQL injection vuln variant
Message-ID: <200510052108.j95L8h9e027127@linus.mitre.org>
retrogod recently posted a null character / SQL injection issue in
myBloggie:
http://marc.theaimsgroup.com/?l=bugtraq&m=112818273307878&w=2
The affected version is 2.1.3beta, the app is login.php, and the
parameter is username. This is CAN-2005-3153.
This makes it sound like a rediscovery of an earlier post by OS2A:
http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2
which also has the same version, app, and parameter; this is
CAN-2005-2838.
However, retrogod's description shows this source code extract:
// Security precaution - sean 03 sep 2005
[!] if(ereg('[^A-Za-z0-9_]', $username)){
which is the fix for the older CAN-2005-2838.
So, the problem is that the fix is incomplete, and the retrogod issue
is really an interaction error / null character problem that, in this
case, happens to have resultant SQL injection.
In CVE's book, this makes it different enough to merit a new
candidate.
- Steve
======================================================
Candidate: CAN-2005-2838
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2838
Reference: BUGTRAQ:20050905 Vulnerability in myBloggie 2.1.3-beta and prior
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2
Reference: CONFIRM:http://mywebland.com/forums/showtopic.php?t=399
Reference: BID:14739
Reference: URL:http://www.securityfocus.com/bid/14739
Reference: SECUNIA:16699
Reference: URL:http://secunia.com/advisories/16699
Reference: XF:mybloggie-login-sql-injection(22162)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22162
SQL injection vulnerability in login.php in myBloggie 2.1.3-beta and
earlier allows remote attackers to execute arbitrary SQL commands via
the username parameter.
======================================================
Candidate: CAN-2005-3153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3153
Reference: BUGTRAQ:20051001 MyBloggie 2.1.3beta null char + SQL Injection -> Login Bypass
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112818273307878&w=2
Reference: MISC:http://rgod.altervista.org/mybloggie213b.html
Reference: SECTRACK:1014995
Reference: URL:http://securitytracker.com/id?1014995
login.php in MyBloggie 2.1.3 beta allows remote attackers to bypass a
regular expression check for invalid characters and conduct SQL
injection attacks via a null character in the username parameter, a
different vulnerability than CAN-2005-2838.
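Added example (not from the VIM thread or from myBloggie itself) of why the null character defeats the `ereg()` fix described above: PHP's `ereg()` handed the string to the C regex library, which reads only up to the first NUL, so a username like `admin\0'` is inspected as `admin`. The length-aware allowlist beside it inspects every byte instead; the username length bound of 32 is an assumption for the example.

```c
/*
 * Added example, not myBloggie's code: an ereg()-style check versus a
 * length-aware allowlist, applied to a username carrying an embedded NUL.
 */
#include <regex.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed test input: a legal prefix, an embedded NUL, then a quote
 * character the regex is meant to reject. Seven bytes long, not five. */
#define CRAFTED_USERNAME "admin\0'"
#define CRAFTED_LEN (sizeof(CRAFTED_USERNAME) - 1)

/* Mirrors myBloggie's `if(ereg('[^A-Za-z0-9_]', $username))` rejection:
 * returns true when the username is ACCEPTED (no forbidden byte found).
 * regexec() treats its input as NUL-terminated, so bytes after an
 * embedded NUL are never examined. */
bool ereg_style_accepts(const char *username)
{
    regex_t re;
    if (regcomp(&re, "[^A-Za-z0-9_]", REG_EXTENDED | REG_NOSUB) != 0)
        return false; /* fail closed if the pattern will not compile */
    int rc = regexec(&re, username, 0, NULL, 0);
    regfree(&re);
    return rc == REG_NOMATCH;
}

static bool allowed_byte(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '_';
}

/* Hardened check: takes the buffer length from the caller (a web
 * framework knows it) and inspects every byte, so an embedded NUL is
 * itself rejected and nothing can hide behind it. */
bool strict_accepts(const char *buf, size_t len)
{
    if (len == 0 || len > 32) /* assumed upper bound for a username */
        return false;
    for (size_t i = 0; i < len; i++)
        if (!allowed_byte((unsigned char)buf[i]))
            return false;
    return true;
}

int main(void)
{
    printf("ereg-style on \"admin'\"       : %s\n",
           ereg_style_accepts("admin'") ? "accepted" : "rejected");
    printf("ereg-style on \"admin\\0'\"     : %s\n",
           ereg_style_accepts(CRAFTED_USERNAME) ? "accepted (bypass)" : "rejected");
    printf("length-aware on \"admin\\0'\"   : %s\n",
           strict_accepts(CRAFTED_USERNAME, CRAFTED_LEN) ? "accepted" : "rejected");
    return 0;
}
```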
From coley at linus.mitre.org Wed Oct 5 17:13:33 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed Oct 5 17:16:01 2005
Subject: [VIM] H.323 protocol vulns
In-Reply-To:
References:
Message-ID:
On Mon, 3 Oct 2005, security curmudgeon wrote:
> via the PROTOS testing suite:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0054
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0056
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0097
>
> then we see an "update" to the suite (guessing, they don't explicitly
> state the name of the testing software):
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0498
> http://www.uniras.gov.uk/niscc/docs/re-20041026-00956.pdf?lang=en
>
> Were the different vulnerabilities ever described in more detail? Or is
> this a year+ later and everything is still vague?
I think everything is still vague.
- Steve
From coley at linus.mitre.org Wed Oct 5 23:56:06 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed Oct 5 23:58:38 2005
Subject: [VIM] JVN#79314822 and Hitachi HS05-019 (fwd)
Message-ID:
FYI - by CVE's content decisions, if JVN#79314822 is for an existing
Tomcat issue, then I would not create a separate CAN for the hitachi
advisory.
CAN-2005-3164 is currently the placeholder for HS05-019, though it could
be rejected as a duplicate depending on JPCERT's answer.
Insert pathetic whining about vulnerability reports in other languages
here. wahh wahh wahhh, woe is us.
- Steve
---------- Forwarded message ----------
Date: Wed, 5 Oct 2005 23:52:06 -0400 (EDT)
From: Steven M. Christey
To: jvn@jvn.jp
Cc: coley@mitre.org
Subject: JVN#79314822 and Hitachi HS05-019
Hello JPCERT,
I have a question regarding Hitachi HS05-019. It links to
JVN#79314822, but I cannot read Japanese :) JVN#79314822 mentions
JavaServer Pages or Apache Tomcat, but that is all I can read.
Is JVN#79314822 related to any known issues in Tomcat? If so, do you
have any references in English for the problem?
Thank you,
Steve Christey
CVE Editor
From coley at mitre.org Thu Oct 6 01:31:58 2005
From: coley at mitre.org (Steven M. Christey)
Date: Thu Oct 6 01:34:30 2005
Subject: [VIM] Various CVE's for Windows 2000 SP4 update Rollup 1
Message-ID: <200510060531.j965VwKf011637@linus.mitre.org>
FYI, I slogged through Microsoft KB article 900345 for the Update
Rollup 1 for Microsoft Windows 2000 Service Pack 4 and found 10
security-relevant issues. There might be more than that, but these
were the ones that were clearly security-relevant.
- Steve
======================================================
Candidate: CAN-2005-3168
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3168
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:834424
Reference: URL:http://support.microsoft.com/kb/834424/
The SECEDIT command on Microsoft Windows 2000 before Update Rollup 1
for SP4, when using a security template to set Access Control Lists
(ACLs) on folders, does not apply ACLs on folders that are listed
after a long folder entry, which could result in less secure
permissions than specified by the template.
======================================================
Candidate: CAN-2005-3169
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3169
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:833873
Reference: URL:http://support.microsoft.com/kb/833873
Microsoft Windows 2000 before Update Rollup 1 for SP4, when the "audit
directory service access" policy is enabled, does not record a 565
event message for File Delete Child operations on an Active Directory
object in the security event log, which could allow attackers to
conduct unauthorized activities without detection.
======================================================
Candidate: CAN-2005-3170
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3170
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:883639
Reference: URL:http://support.microsoft.com/kb/883639
The LDAP client on Microsoft Windows 2000 before Update Rollup 1 for
SP4 accepts certificates using LDAP Secure Sockets Layer (LDAPS) even
when the Certificate Authority (CA) is not trusted, which could allow
attackers to trick users into believing that they are accessing a
trusted site.
======================================================
Candidate: CAN-2005-3171
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3171
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:884559
Reference: URL:http://support.microsoft.com/kb/884559
Microsoft Windows 2000 before Update Rollup 1 for SP4 records Event ID
1704 to indicate that Group Policy security settings were successfully
updated, even when the processing fails such as when Ntuser.pol cannot
be accessed, which could cause system administrators to believe that
the system is compliant with the specified settings.
======================================================
Candidate: CAN-2005-3172
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3172
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:824867
Reference: URL:http://support.microsoft.com/kb/824867
The WideCharToMultiByte function in Microsoft Windows 2000 before
Update Rollup 1 for SP4 does not properly convert strings with
Japanese composite characters in the last character, which could
prevent the string from being null terminated and lead to data
corruption or enable buffer overflow attacks.
======================================================
Candidate: CAN-2005-3173
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3173
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:821102
Reference: URL:http://support.microsoft.com/kb/821102
Microsoft Windows 2000 before Update Rollup 1 for SP4 does not apply
group policies if the user logs on using UPN credentials with a
trailing dot, which prevents Windows 2000 from finding the correct
domain controller and could allow the user to bypass intended
restrictions.
======================================================
Candidate: CAN-2005-3174
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3174
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:830847
Reference: URL:http://support.microsoft.com/kb/830847
Microsoft Windows 2000 before Update Rollup 1 for SP4 allows users to
log on to the domain, even when their password has expired, if the
fully qualified domain name (FQDN) is 8 characters long.
======================================================
Candidate: CAN-2005-3175
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3175
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:842742
Reference: URL:http://support.microsoft.com/kb/842742
Microsoft Windows 2000 before Update Rollup 1 for SP4 allows a local
administrator to unlock a computer even if it has been locked by a
domain administrator, which allows the local administrator to access
the session as the domain administrator.
======================================================
Candidate: CAN-2005-3176
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3176
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:891076
Reference: URL:http://support.microsoft.com/kb/891076
Microsoft Windows 2000 before Update Rollup 1 for SP4 does not record
the IP address of a Windows Terminal Services client in a security log
event if the client connects successfully, which could make it easier
for attackers to escape detection.
======================================================
Candidate: CAN-2005-3177
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3177
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:831375
Reference: URL:http://support.microsoft.com/kb/831375
Reference: MSKB:831374
Reference: URL:http://support.microsoft.com/kb/831374
CHKDSK in Microsoft Windows 2000 before Update Rollup 1 for SP4,
Windows XP, and Windows Server 2003, when running in fix mode, does
not properly handle security descriptors if the master file table
contains a large number of files or if the descriptors do not satisfy
certain NTFS conventions, which could cause ACLs for some files to be
reverted to less secure defaults, or cause security descriptors to be
removed.
From jericho at attrition.org Fri Oct 7 07:20:34 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Oct 7 07:20:43 2005
Subject: [VIM] Various CVE's for Windows 2000 SP4 update Rollup 1
In-Reply-To: <200510060531.j965VwKf011637@linus.mitre.org>
References: <200510060531.j965VwKf011637@linus.mitre.org>
Message-ID:
Also:
Microsoft Windows XP Wireless Zero Configuration Credential/Key Disclosure
http://www.secunia.com/advisories/17064/
http://support.microsoft.com/default.aspx?scid=kb;EN-US;893357
http://www.soonerorlater.hu/index.khtml?article_id=62
http://osvdb.org/19873
From coley at mitre.org Fri Oct 14 13:48:21 2005
From: coley at mitre.org (Steven M. Christey)
Date: Fri Oct 14 13:51:26 2005
Subject: [VIM] vendor dispute for CAN-2005-1244 (NetIQ iSeries directory traversal)
Message-ID: <200510141748.j9EHmLWE023591@linus.mitre.org>
CVE received an email from NetIQ disputing the following issue. The
dispute was apparently confirmed by another VDB. In the original
report, the researcher claims that NetIQ did not respond to his
inquiries, which probably contributed to the likely-incorrect report.
- Steve
======================================================
Candidate: CAN-2005-1244
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1244
Reference: BUGTRAQ:20050420 Canonicalization and directory traversal in iSeries FTP security products
Reference: URL:http://www.securityfocus.com/archive/1/396628
Reference: MISC:http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf
** DISPUTED **
Directory traversal vulnerability in the third party tool from NetIQ,
as used to secure the iSeries AS/400 FTP server, allows remote
attackers to access arbitrary files, including those from qsys.lib,
via ".." sequences in a GET request. NOTE: the vendor has disputed
this issue, saying that "neither NetIQ Security Manager nor our
iSeries Security Solutions are vulnerable."
From jericho at attrition.org Sun Oct 16 06:23:42 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun Oct 16 06:23:53 2005
Subject: [VIM] vendor dispute for CAN-2005-1244 (NetIQ iSeries directory traversal)
In-Reply-To: <200510141748.j9EHmLWE023591@linus.mitre.org>
References: <200510141748.j9EHmLWE023591@linus.mitre.org>
Message-ID:
: CVE received an email from NetIQ disputing the following issue. The
: dispute was apparently confirmed by another VDB. In the original
: report, the researcher claims that NetIQ did not respond to his
: inquiries, which probably contributed to the likely-incorrect report.
I think I recall Stuart/SecTracker dealing with NetIQ over this, but not
entirely sure. I also remember OSVDB working on this, and/or
communicating with the vendor. We ended up adding it as a myth/fake
report:
http://osvdb.org/15791
Vuln Desc:
NetIQ Security Manager has been reported to contain a flaw allowing a
remote attacker to access files outside of the FTP root path, bypassing
its intended functionality. The original report indicated NetIQ and
several other products were vulnerable to an underlying traversal issue in
the iSeries product. Further examination and testing has revealed that
NetIQ Security Manager is not vulnerable to this issue.
From jericho at attrition.org Sun Oct 16 07:10:48 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun Oct 16 07:10:51 2005
Subject: [VIM] Various CVE's for Windows 2000 SP4 update Rollup 1
In-Reply-To: <200510060531.j965VwKf011637@linus.mitre.org>
References: <200510060531.j965VwKf011637@linus.mitre.org>
Message-ID:
: FYI, I slogged through Microsoft KB article 900345 for the Update Rollup
: 1 for Microsoft Windows 2000 Service Pack 4 and found 10
: security-relevant issues. There might be more than that, but these were
: the ones that were clearly security-relevant.
Good stuff. I am currently doing the same for the Sun Java System
Directory Server. The last changelog had a huge list of bugs including ~
7 or 8 security issues, and a couple *dozen* potential DoS attacks. We
may end up grouping some of the DoS attacks together depending on the
information (or lack of) though. Once I get it all sorted out I'll post a
summary here.
From smoore at securityglobal.net Sun Oct 16 19:50:18 2005
From: smoore at securityglobal.net (Stuart Moore)
Date: Sun Oct 16 19:54:02 2005
Subject: [VIM] vendor dispute for CAN-2005-1244 (NetIQ iSeries directory traversal)
In-Reply-To:
References: <200510141748.j9EHmLWE023591@linus.mitre.org>
Message-ID: <4352E73A.9080507@securityglobal.net>
This NetIQ report was not one of the disputes that we were involved with.
Stuart
security curmudgeon wrote:
> : CVE received an email from NetIQ disputing the following issue. The
> : dispute was apparently confirmed by another VDB. In the original
> : report, the researcher claims that NetIQ did not respond to his
> : inquiries, which probably contributed to the likely-incorrect report.
>
> I think I recall Stuart/SecTracker dealing with NetIQ over this, but not
> entirely sure. I also remember OSVDB working on this, and/or
> communicating with the vendor. We ended up adding it as a myth/fake
> report:
>
> http://osvdb.org/15791
>
> Vuln Desc:
> NetIQ Security Manager has been reported to contain a flaw allowing a
> remote attacker to access files outside of the FTP root path, bypassing
> its intended functionality. The original report indicated NetIQ and
> several other products were vulnerable to an underlying traversal issue in
> the iSeries product. Further examination and testing has revealed that
> NetIQ Security Manager is not vulnerable to this issue.
>
--
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore@securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax
From coley at mitre.org Sun Oct 23 01:25:07 2005
From: coley at mitre.org (Steven M. Christey)
Date: Mon Oct 24 03:06:19 2005
Subject: [VIM] Chipmunk XSS is likely resultant from SQL injection
Message-ID: <200510230525.j9N5P7XN011442@linus.mitre.org>
I'm not in the mood at this instant to deal with this entirely, but I
thought I'd mention it:
XSS & Path Disclosure in Chipmunk's products
http://marc.theaimsgroup.com/?l=bugtraq&m=112982490104274&w=2
This is likely another example of primary SQL injection with resultant
XSS from an error message, being labeled only as XSS by the
researcher.
A download of the Forum product and a quick glance at quote.php shows
that the $forumID variable is used in several SQL queries, e.g.:
> $getforuminfo="SELECT * from b_forums where ID='$forumID'";
and
> $posting="INSERT INTO b_posts (author, title, post,timepost, telapsed, threadparent, postforum, lastpost,nosmilies,ipaddress ) values ('$name', '$title', '$post', '$day', '$timegone', '$threadparent', '$forumID','$user','$nosmiley','$s')";
Interestingly, later vectors in the code suggest there might be real
XSS.
- Steve
From jericho at attrition.org Mon Oct 24 19:36:12 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Oct 24 19:36:16 2005
Subject: [VIM] FlatNuke
Message-ID:
OSVDB 19114
http://archives.neohapsis.com/archives/bugtraq/2005-08/0442.html
usr variable XSS
http://archives.neohapsis.com/archives/bugtraq/2005-10/0276.html
user variable XSS
Makes me wonder if one of them is a typo and this is the same issue.
From coley at linus.mitre.org Tue Oct 25 00:26:52 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue Oct 25 00:32:28 2005
Subject: [VIM] FlatNuke
In-Reply-To:
References:
Message-ID:
> OSVDB 19114
> http://archives.neohapsis.com/archives/bugtraq/2005-08/0442.html
>
> usr variable XSS
>
> http://archives.neohapsis.com/archives/bugtraq/2005-10/0276.html
>
> user variable XSS
>
>
>
> Makes me wonder if one of them is a typo and this is the same issue.
My immediate guess is that it isn't. I haven't used PHP myself, but I've
gleaned from lots of staring at URLs that:
- modules.php is usually a dispatcher for lots of other functionality
- "op" or "action" and similar parameters are usually dispatchers as well
In this case, the "usr" variable was in an "op=vis_reg" and the "user"
variable is in an "op=profile", both accessible from an index.php.
Actually, I just confirmed this via source code inspection - there's a
vis_reg() with a $_GET['usr'] and a profile() with a $_GET['user'] etc.
Since I'm here, might as well confirm, by source inspection, the user
"file inclusion" issue (which doesn't appear to be an "include" issue per
se, but does involve dumping contents of a file into the resulting page).
from forum/index.php:
[874]function profile(){
...
[876]$user=$_GET['user'];
...
[891]$fp=file("users/$user.php");
...
[895]>
** but ** the other two elements look like they're not full file reading:
function topic(){
...
$quale=$_GET['quale'];
...
$string=get_file("topics/$quale.xml");
$posts=get_xml_array("ff:post",$string);
...
$unsplitpost = $posts[$x];
...
$poster=get_xml_element("ff:poster",$unsplitpost);
...
$subj=get_xml_element("ff:subj",$unsplitpost);
etc.
function newtopic(){
...
$quale=$_GET['quale'];
$string=get_file("topics/$quale.xml");
$subjtmp="Re: ".get_xml_element("ff:topic",$string);
topic() and newtopic() seem to be just grabbing a single element out of a
well-formed input file; so it's a limited cross-user information leak at
best, it seems. Not sure, though.
Also looked at the original post. Confirmed (by source inspection only)
the vis_reg XSS. The "mod=read" and "news=DEVICE" issues - all of them -
seem to be related to file opening or file access errors underneath, i.e.
items (2) and (3) appear to be resultant from basic pathname manipulation
/ directory traversal in (4).
- Steve
From coley at mitre.org Tue Oct 25 21:06:42 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue Oct 25 21:07:00 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
Message-ID: <200510260106.j9Q16g31011693@linus.mitre.org>
How are other VDB's handling situations in which Internet Explorer
automatic type detection feature renders HTML in .GIF/.JPG files as if
it's HTML? Theoretically, every single web application that allows
uploads is "vulnerable" - is it really the application vendors'
responsibility to work around this "feature"? From a VDB perspective
I don't like the idea of "blaming" the wrong party and/or adding
dozens or hundreds of entries for products that don't work around
another product's feature.
These fall under a class of vulns that I call "multiple interpretation
errors" in which one product assumes "good" behavior of other products
that don't actually behave. A-V products get hit on these a lot, but
in those cases I think they should share some of the "blame" since
they are supposed to know how the inputs are going to be handled by
end systems.
Insert comment about Jon Postel's great motto "Be liberal in what you
accept, and conservative in what you send" being an impediment to
systemic security.
- Steve
======================================================
Name: CVE-2005-3310
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3310
Reference: BUGTRAQ:20051022 phpBB 2.0.17 (and other BB systems as well) Cookie disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=113017003617987&w=2
Reference: FULLDISC:20051022 phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0479.html
Reference: BID:15170
Reference: URL:http://www.securityfocus.com/bid/15170/
Reference: SECUNIA:17295
Reference: URL:http://secunia.com/advisories/17295/
Reference: XF:phpbb-avatar-bypass-security(22837)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22837
Multiple interpretation error in phpBB 2.0.17, with remote avatars and
avatar uploading enabled, allows remote authenticated users to inject
arbitrary web script or HTML via an HTML file with a GIF or JPEG file
extension, which causes the HTML to be executed by a victim who views
the file in Internet Explorer, which renders malformed image types as
HTML, enabling cross-site scripting (XSS) attacks. NOTE: it could be
argued that this vulnerability is due to a design flaw in Internet
Explorer that should not require all web-based applications to work
around; if so, then this should not be treated as a vulnerability in
phpBB.
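Added example, not phpBB's code or anything from the thread: the avatar check behind CVE-2005-3310 trusted only the file extension, so an HTML document named with a .gif extension was stored and served as an image for IE's type sniffing to render as HTML. Checking that the bytes actually begin like a GIF or JPEG refuses that mismatch before the file is stored; the sample uploads are constructed.

```c
/*
 * Added example, not phpBB's code: extension-only acceptance (what the
 * original check amounted to) beside a content signature check.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strcasecmp (POSIX) */

/* The extension-only test: all the original check effectively asked. */
bool extension_is_image(const char *filename)
{
    const char *dot = strrchr(filename, '.');
    if (dot == NULL)
        return false;
    return strcasecmp(dot, ".gif") == 0 || strcasecmp(dot, ".jpg") == 0 ||
           strcasecmp(dot, ".jpeg") == 0;
}

/* Signature check: the bytes must begin like a GIF (GIF87a/GIF89a) or a
 * JPEG (FF D8 FF). An HTML document fails here whatever it is named. */
bool content_is_image(const unsigned char *buf, size_t len)
{
    if (len >= 6 && (memcmp(buf, "GIF87a", 6) == 0 ||
                     memcmp(buf, "GIF89a", 6) == 0))
        return true;
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return true;
    return false;
}

/* Store the upload only when the name and the bytes agree. */
bool accept_avatar(const char *filename, const unsigned char *buf, size_t len)
{
    return extension_is_image(filename) && content_is_image(buf, len);
}

/* Constructed uploads: a minimal GIF header, and an HTML document that
 * the uploader names picture.gif. */
const unsigned char real_gif[] = "GIF89a\x01\x00\x01\x00\x80\x00\x00";
const unsigned char html_as_gif[] = "<html><body>not an image</body></html>";

int main(void)
{
    printf("picture.gif with GIF bytes : %s\n",
           accept_avatar("picture.gif", real_gif, sizeof(real_gif) - 1)
               ? "stored" : "refused");
    printf("picture.gif with HTML bytes: %s\n",
           accept_avatar("picture.gif", html_as_gif, sizeof(html_as_gif) - 1)
               ? "stored" : "refused");
    return 0;
}
```

On the delivery side, serving the stored file with its exact image Content-Type and, for browsers that honour it, `X-Content-Type-Options: nosniff` keeps a browser from second-guessing the type at all.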
From jericho at attrition.org Tue Oct 25 21:20:03 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Oct 25 21:20:05 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To: <200510260106.j9Q16g31011693@linus.mitre.org>
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID:
: How are other VDB's handling situations in which Internet Explorer
: automatic type detection feature renders HTML in .GIF/.JPG files as if
: it's HTML?
So far, we're making separate entries but I recognized this recently and
wondered. Before this, the other possibly similar thing that came up was
some XSS vulns that only occur if the victim uses MSIE.
: Theoretically, every single web application that allows uploads is
: "vulnerable" - is it really the application vendors' responsibility to
: work around this "feature"? From a VDB perspective I don't like the
: idea of "blaming" the wrong party and/or adding dozens or hundreds of
: entries for products that don't work around another product's feature.
Ditto, but the obvious problem is isolating exactly what is causing it and
making it well known. This will help prevent subsequent reports and
copycat vuln disclosures.
From coley at linus.mitre.org Tue Oct 25 21:28:17 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue Oct 25 21:28:35 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To:
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID:
On Tue, 25 Oct 2005, security curmudgeon wrote:
> So far, we're making separate entries but I recognized this recently and
> wondered. Before this, the other possibly similar thing that came up was
> some XSS vulns that only occur if the victim uses MSIE.
I was thinking about that in general. Netscape had some of its own
unusual constructs that would escape normal XSS filters.
But you see this kind of stuff all over the place in A-V, even with
corrupted files that are rejected by most - but not all - tools (e.g.
CVE-2005-3210 through CVE-2005-3235).
I think this kind of happened with MS-DOS device names a number of years
ago, when it used to cause a blue screen. Various products had to put in
defenses/workarounds to protect themselves against what was basically an
OS bug.
> Ditto, but the obvious problem is isolating exactly what is causing it and
> making it well known. This will help prevent subsequent reports and
> copycat vuln disclosures.
One can hope ;-) although it's a rather interesting example of how
apparently cosmetic design choices can have major side effects.
- Steve
From sullo at cirt.net Tue Oct 25 21:34:43 2005
From: sullo at cirt.net (Sullo)
Date: Tue Oct 25 21:35:08 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To:
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID: <435EDD33.4090308@cirt.net>
security curmudgeon wrote:
>: How are other VDB's handling situations in which Internet Explorer
>: automatic type detection feature renders HTML in .GIF/.JPG files as if
>: it's HTML?
>
>So far, we're making separate entries but I recognized this recently and
>wondered. Before this, the other possibly similar thing that came up was
>some XSS vulns that only occur if the victim uses MSIE.
>
>
Well, I read the info that sparked this and decided that it's an IE
problem, not a particular web app. So I'd argue it should be listed as a
flaw in IE, not in the products that store and send the image file as an
"image."
After all... the list of products impacted by this is probably
everything out there that gets/stores/displays an image--even if they
are doing (some) verification... but the root "problem" is that IE does
something it probably shouldn't.
-Sullo
--
http://www.cirt.net/ | http://www.osvdb.org/
From jericho at attrition.org Tue Oct 25 21:39:00 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Oct 25 21:39:03 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To:
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID:
: But you see this kind of stuff all over the place in A-V, even with
: corrupted files that are rejected by most - but not all - tools (e.g.
: CVE-2005-3210 through CVE-2005-3235).
:
: I think this kind of happened with MS-DOS device names a number of years
: ago, when it used to cause a blue screen. Various products had to put
: in defenses/workarounds to protect themselves against what was basically
: an OS bug.
Not just a few years ago =) We're still seeing the classic MS-DOS Device
Name DoS today.
From jericho at attrition.org Thu Oct 27 06:35:37 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu Oct 27 06:35:39 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To: <200510260106.j9Q16g31011693@linus.mitre.org>
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID:
: How are other VDB's handling situations in which Internet Explorer
: automatic type detection feature renders HTML in .GIF/.JPG files as if
: it's HTML? Theoretically, every single web application that allows
: uploads is "vulnerable" - is it really the application vendors'
: responsibility to work around this "feature"? From a VDB perspective I
: don't like the idea of "blaming" the wrong party and/or adding dozens or
: hundreds of entries for products that don't work around another
: product's feature.
I revamped our entry for this (OSVDB 20248), now titled "Microsoft IE
Embedded Content Processing XSS".
I think there was a post prior to this, calling out a certain application
as vulnerable "only if the person uses IE", but I don't recall what vuln
it was, or if it was the same issue.
From coley at mitre.org Fri Oct 28 17:13:25 2005
From: coley at mitre.org (Steven M. Christey)
Date: Fri Oct 28 17:13:55 2005
Subject: [VIM] vendor inquiry on eRoom issues
Message-ID: <200510282113.j9SLDPdw016979@linus.mitre.org>
FYI, I sent an email inquiry to EMC about the eRoom vulns from July
(see below). We got an inquiry about it.
They are investigating the issue.
- Steve
======================================================
Name: CVE-2005-2184
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2184
Reference: BUGTRAQ:20050706 eRoom Multiple Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112069267700034&w=2
eRoom 6.x does not properly restrict files that can be attached, which
allows remote attackers to execute arbitrary commands via a .lnk file.
======================================================
Name: CVE-2005-2185
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2185
Reference: BUGTRAQ:20050706 eRoom Multiple Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112069267700034&w=2
eRoom does not set an expiration for Cookies, which allows remote
attackers to capture cookies and conduct replay attacks.
From coley at mitre.org Sat Oct 29 13:30:26 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sat Oct 29 13:31:02 2005
Subject: [VIM] Saphp Lesson
Message-ID: <200510291730.j9THUQlW016772@linus.mitre.org>
Regarding this post by aLMaSTeR:
BUGTRAQ:20051024 SQL saphp Lesson
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=113018965520240&w=2
I've been cruising Google for a while, and it took ages to figure out
what "saphp" is/was. I tried alternate spellings such as
"saphplesson" and "saphp lesson", to no avail. The only matches were
vulnerability reports.
However, "saphpLesson2.0" seems to point to various web sites that use
showcat.php and the forumid parameter. The sites are using some
Arabic language. The "dros/" part of the URL does not seem to be
inherent to the product.
The source site may have been www.saphp.com, but the site currently
doesn't have any information on it.
Other useful search strings are "saphp Lesson1.1"
- Steve
From jericho at attrition.org Sat Oct 29 14:53:36 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat Oct 29 14:53:38 2005
Subject: [VIM] Saphp Lesson
In-Reply-To: <200510291730.j9THUQlW016772@linus.mitre.org>
References: <200510291730.j9THUQlW016772@linus.mitre.org>
Message-ID:
: I've been cruising Google for a while, and it took ages to figure out
: what "saphp" is/was. I tried alternate spellings such as "saphplesson"
: and "saphp lesson", to no avail. The only matches were vulnerability
: reports.
:
: However, "saphpLesson2.0" seems to point to various web sites that use
: showcat.php and the forumid parameter. The sites are using some Arabic
: language. The "dros/" part of the URL does not seem to be inherent to
: the product.
:
: The source site may have been www.saphp.com, but the site currently
: doesn't have any information on it.
Yep, I had to use archive.org to find older versions, and even reported
this web site to zone-h as a defacement. It only said "lord byron" (with
elite speak), which I believe is a known defacer.
archive.org didn't help much as the site is in Arabic(?)
From jericho at attrition.org Sat Oct 29 14:57:35 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat Oct 29 14:57:37 2005
Subject: [VIM] defacement (fwd)
Message-ID:
---------- Forwarded message ----------
From: security curmudgeon
To: Zone-H
Date: Tue, 25 Oct 2005 17:20:14 -0400 (EDT)
Subject: defacement
While digging into some vulnerabilities posted to bugtraq, found a vendor page
that appears to be defaced. No clue when it happened.
original:
http://web.archive.org/web/20041024043300/http://www.saphp.com/
currently:
http://www.saphp.com/